Skip to main content
SpringerLink
Log in

Third-Party Identity Management Usage on the Web

  • Conference paper
Passive and Active Measurement (PAM 2014)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 8362))

Included in the following conference series:

Abstract

Many websites utilize third-party identity management services to simplify access to their services. Given the privacy and security implications for end users, an important question is how websites select their third-party identity providers and how this impacts the characteristics of the emerging identity management landscape seen by the users. In this paper we first present a novel Selenium-based data collection methodology that identifies and captures the identity management relationships between sites and the intrinsic characteristics of the websites that form these relationships. Second, we present the first large-scale characterization of the third-party identity management landscape and the relationships that makes up this emerging landscape. As a reference point, we compare and contrast our observations with the somewhat more understood third-party content provider landscape. Interesting findings include a much higher skew towards websites selecting popular identity provider sites than is observed among content providers, with sites being more likely to form identity management relationships that have similar cultural, geographic, and general site focus. These findings are both positive and negative. For example, the high skew in usage places greater responsibility on fewer organizations that are responsible for the increased information leakage cost associated with highly aggregated personal information, but also reduces the user’s control of the access to this information.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Armando, A., Carbone, R., Compagna, L., Cuellar, J., Pellegrino, G., Sorniotti, A.: From multiple credentials to browser-based single sign-on: Are we more secure? In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds.) SEC 2011. IFIP AICT, vol. 354, pp. 68–79. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  2. Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In: Proc. IEEE Symposium on S&P (May 2012)

    Google Scholar 

  3. Chari, S., Jutla, C., Roy, A.: Universally composable security analysis of oauth v2.0. Technical report, Cryptology ePrint Archive, Report 2011/526 (2011)

    Google Scholar 

  4. Dhamija, R., Dusseault, L.: The seven flaws of identity management: Usability and security challenges. IEEE Security & Privacy 6(2), 24–29 (2008)

    Article  Google Scholar 

  5. Gill, P., Arlitt, M., Carlsson, N., Mahanti, A., Williamson, C.: Characterizing organizational use of web-based services: Methodology, challenges, observations, and insights. ACM Transactions on the Web (TWEB) 5(4), 19:1–19:23 (2011)

    Google Scholar 

  6. Lodderstedt, T., McGloin, M., Hunt, P.: Oauth 2.0 threat model and security considerations. Internet-Draft, IETF (October 2011)

    Google Scholar 

  7. Miculan, M., Urban, C.: Formal analysis of facebook connect single sign-on authentication protocol. In: Proc. SOFSEM (January 2011)

    Google Scholar 

  8. Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of oauth 2.0 using alloy framework. In: Proc. CSNT (June 2011)

    Google Scholar 

  9. Pfitzmann, B., Waidner, M.: Analysis of liberty single-sign-on with enabled clients. IEEE Internet Computing 7(6), 38–44 (2003)

    Article  Google Scholar 

  10. Sun, S.-T., Beznosov, K.: The devil is in the (implementation) details: an empirical analysis of oauth sso systems. In: Proc. ACM CCS (October 2012)

    Google Scholar 

  11. Sun, S.-T., Boshmaf, Y., Hawkey, K., Beznosov, K.: A billion keys, but few locks: The crisis of web single sign-on. In: Proc. NSPW (September 2010)

    Google Scholar 

  12. Sun, S.-T., Hawkey, K., Beznosov, K.: Systematically breaking and fixing openid security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures. Computers & Security 31(4), 465–483 (2012)

    Article  Google Scholar 

  13. Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through facebook and google: a traffic-guided security study of commercially deployed single-sign-on web services. In: Proc. IEEE Symposium on S&P (May 2012)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Linköping University, Linköping, Sweden

    Anna Vapen, Niklas Carlsson & Nahid Shahmehri

  2. NICTA, Sydney, NSW, Australia

    Anirban Mahanti

Authors
  1. Anna Vapen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Niklas Carlsson
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Anirban Mahanti
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Nahid Shahmehri
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Computer Science Department, University of New Mexico, Engineering Building II, 87131, Albuquerque, NM, USA

    Michalis Faloutsos

  2. EECS Department, Northwestern University, 2145 Sheridan Road, 60208, Evanston, IL, USA

    Aleksandar Kuzmanovic

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Vapen, A., Carlsson, N., Mahanti, A., Shahmehri, N. (2014). Third-Party Identity Management Usage on the Web. In: Faloutsos, M., Kuzmanovic, A. (eds) Passive and Active Measurement. PAM 2014. Lecture Notes in Computer Science, vol 8362. Springer, Cham. https://doi.org/10.1007/978-3-319-04918-2_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-04918-2_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04917-5

  • Online ISBN: 978-3-319-04918-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation